I experienced the following error when trying to start winlogbeat as a service:
Windows could not start the winlogbeat service on Local Computer. Error 1053: The service did not respond to the start or control request in a timely fashion.
I installed the service using "-ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1".
It said it installed successfully, but then fails to start with the above error.
I tested my config using ".\winlogbeat.exe test config -c .\winlogbeat.yml -e -v", and was able to successfully publish events to logstash using SSL.
The issue I was having was due to a relative path in the ssl section of the logstash certificates:
    tls:
      certificate_authorities: ["logstash-forwarder.crt"]
When I tried entering the absolute path using double quotes like so:
    tls:
      certificate_authorities: ["C:/ProgramData/winlogbeat/logstash-forwarder.crt"]
The configtest failed with the error "yaml: line 109: found unknown escape character".
The simplest solution I found to this issue was to use single quotes instead of double:
    tls:
      certificate_authorities: ['C:/ProgramData/winlogbeat/logstash-forwarder.crt']
This solution then passed the config test and was also able to run in the background with "Start-Service winlogbeat".
Hopefully my struggles and frustration can be used to help someone else in a similar situation.
It would be nice if Elastic could add the following to the documentation for SSL with Logstash on winlogbeat:
- Reiterate the need for an absolute path in order to start winlogbeat as a service
- Include the need for single quotes to work with escape characters in Windows paths, i.e. 'C:/Program Files/...' (The documentation examples are currently set up with Linux paths and double quotes, i.e. "/etc/pki/tls/....", which is not helpful for winlogbeat/Windows)
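
A pre-flight check for the two problems described in this post, added here as an example (it is not part of the original post and not Elastic's code): it flags relative `certificate_authorities` paths and backslash escapes inside double-quoted values. The function name `lint_cert_paths`, the escape table (taken from the YAML 1.2 specification) and the sample lines with backslash separators are assumptions constructed for illustration.

```python
import ntpath
import re

# Characters allowed after "\" in a double-quoted YAML scalar (YAML 1.2, 5.7).
VALID_ESCAPES = set('0abt\tnvfre "/\\N_LPxuU')
LITERAL_ESCAPES = set('\\/"')  # escapes that decode to the same character

DOUBLE = re.compile(r'"((?:[^"\\]|\\.)*)"')
SINGLE = re.compile(r"'((?:[^']|'')*)'")


def lint_cert_paths(config_text):
    """Return (line_number, problem) tuples for certificate_authorities entries."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        key, sep, value = line.partition("certificate_authorities:")
        if not sep or key.lstrip().startswith("#"):
            continue
        paths = []
        for body in DOUBLE.findall(value):
            escapes = re.findall(r"\\(.)", body)
            unknown = [c for c in escapes if c not in VALID_ESCAPES]
            altered = [c for c in escapes
                       if c in VALID_ESCAPES and c not in LITERAL_ESCAPES]
            if unknown:      # the parser rejects the file outright
                findings.append((number, "unknown escape \\" + unknown[0]))
            elif altered:    # parses, but \t, \n, ... silently rewrite the path
                findings.append((number, "escape \\" + altered[0] + " changes the path"))
            else:
                paths.append(re.sub(r"\\(.)", r"\1", body))
        # Single-quoted scalars keep backslashes literally; '' is the only escape.
        without_double = DOUBLE.sub("", value)
        paths += [s.replace("''", "'") for s in SINGLE.findall(without_double)]
        for path in paths:
            # A service does not start in the install directory, so a relative
            # path that works from an interactive shell may not resolve.
            if not ntpath.isabs(path):
                findings.append((number, "relative path " + path))
    return findings


# Constructed sample lines (not taken from a real host).
SAMPLE = "\n".join([
    r'certificate_authorities: ["logstash-forwarder.crt"]',
    r'certificate_authorities: ["C:\ProgramData\winlogbeat\logstash-forwarder.crt"]',
    r'certificate_authorities: ["C:\temp\new-ca.crt"]',
    r"certificate_authorities: ['C:\ProgramData\winlogbeat\logstash-forwarder.crt']",
])
```

The third sample line is the case the config test does not catch: `\t` and `\n` are valid escapes, so the file parses and the CA path ends up containing a tab and a newline.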